On 2014-08-25 Mon 21:40 PM |, giacomo wrote:
> >
> > Join the Postfix users mailing list (http://www.postfix.org/lists.html)
> >
> > Send them a problem description & the output of both:
> > $ postconf -nf
> > $ postconf -Mf

REALLY: Join the Postfix users mailing list and send them the output.

> >
> > Sorry I can help further as I don't use SSL with SMTP as it can't be
> > enforced throughout a message's life - therefore I consider it a false
> > sense of security.
>
> Which is a solution, for you, to increase the security for connections from
> the outside, for example with a portable device (laptop, smartphone, etc)
> using an OpenBSD system?
>

SMTP is not a point to point protocol, it is a redundant store & forward
protocol. SSL/TLS was an afterthought, and may be optionally negotiated
for each hop.

The security of the channel is never guaranteed for each leg of the
journey. And the next hop never promises to encrypt the onward
connection.

Mail gateways may accept an encrypted connection & forward it in clear
text to a LAN M$ exchange, Solaris or Loonix box. You don't know.

Some organisations also use 3rd party off-site MX backup boxes as well.
Who knows what they do with mail, and what route they forward it onwards
by.

Want proof? Send me a mail from your SSL/TLS MTA & watch the logs as the
message is sent in clear text to Scotland. I'll reply and you'll see
from your logs that your fancy SSL set up is ignored, and the message is
accepted by your box in plain text.

Even if the message does (by random chance) happen to travel via an
encrypted channel, it then sits in clear text on Goatmail, Snotmail,
Yahtwits or AOL.con's servers for government agencies around the world
to read - years after it is 'deleted'.

SMTP is resilient, but insecure.

The best that can be done is to have the user PGP encrypt their message
before sending.

To protect the user's authentication credentials on port 587 is to use
rather weak digest auth. e.g:

250-AUTH CRAM-MD5

NOT:

250-AUTH PLAIN
250-AUTH LOGIN

Using SSL for SMTP-submission, IMAP or POP is to deceive users into
thinking their mail is secure. It is a lie.

Otherwise, both ssh to a box & chat locally.
Or use something like SILC: http://en.wikipedia.org/wiki/SILC_%28protocol%29
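
The hop-by-hop behaviour described in the message above can be checked on any received mail by reading its Received: headers. The following Python is an added example, not part of the original post: the sample message, hostnames and queue ids are constructed, and it assumes each relay records the RFC 3848 "with" keywords (ESMTPS, ESMTPSA) as Postfix does.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the hop was received over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message: hostnames, addresses and queue ids are made up.
SAMPLE = """\
Received: from gw.example.net (gw.example.net [192.0.2.10])
\tby exchange.corp.example (Postfix) with ESMTP id 3F2A1;
\tMon, 25 Aug 2014 21:41:03 +0100
Received: from laptop.example.org (laptop.example.org [198.51.100.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby gw.example.net (Postfix) with ESMTPSA id 9C0DE;
\tMon, 25 Aug 2014 21:41:01 +0100
From: alice@example.org
To: bob@corp.example
Subject: test

body
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def audit_hops(raw_message):
    """Return hops in travel order as (from_host, by_host, protocol, tls)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so reverse for sender-first order.
    for raw in reversed(msg.get_all("Received", [])):
        # Comments go first: "(using TLSv1.2 with cipher ...)" has its own "with".
        flat = strip_comments(" ".join(raw.split()))
        sender = re.search(r"\bfrom\s+(\S+)", flat, re.I)
        receiver = re.search(r"\bby\s+(\S+)", flat, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat, re.I)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1).rstrip(";") if receiver else "?",
                     name, name in TLS_PROTOCOLS))
    return hops

if __name__ == "__main__":
    for src, dst, proto, tls in audit_hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'CLEARTEXT'})")
```

Each Received: header is written by the host that accepted the message, so headers added before the first relay you trust can be forged. A relay that does not record the RFC 3848 keywords shows up here as plain ESMTP even if it did use TLS.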

